Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A system, comprising: at least one memory to store at least one key associated to a first client of a plurality of clients; a first computing device configured as an encryption gateway to communicate with the first client using a client-side transport protocol, and to communicate with a remote cloud storage or server using a remote-side transport protocol, the first computing device comprising at least one processor, and the first computing device further configured to: authenticate the first client using at least one authentication factor, receive data in a payload from the first client, decrypt the received data using the client-side transport protocol to provide first decrypted data, encrypt the first decrypted data using the at least one key to provide first encrypted data, encrypt the first encrypted data using the remote-side transport protocol to provide second encrypted data, and send the second encrypted data to the remote cloud storage or server; and a key manager configured to provide the at least one key to the encryption gateway for storage in the at least one memory.
A system encrypts data sent from clients to remote cloud storage. It includes an encryption gateway (a computer) and a key manager. The gateway authenticates clients, receives data from a client, decrypts the client-side encryption, re-encrypts the data using a key from the key manager, and then encrypts it again using a remote-side transport protocol before sending it to the cloud storage. The key manager provides encryption keys to the gateway. The gateway stores keys specific to each client.
2. The system of claim 1, wherein the remote-side transport protocol is transport layer security or Internet protocol security.
The system described in Claim 1 uses Transport Layer Security (TLS) or Internet Protocol Security (IPSec) as the remote-side transport protocol to secure data transfer between the encryption gateway and the remote cloud storage or server.
3. The system of claim 1, wherein the encryption gateway receives authentication information from the first client for requesting at least one key from the key manager.
In the system from Claim 1, when a client connects to the encryption gateway, it sends authentication information which the gateway then uses to request a specific encryption key from the key manager.
4. The system of claim 1, wherein the encryption gateway uses symmetric encryption with authentication to encrypt the first decrypted data using the at least one key.
The system described in Claim 1 uses symmetric encryption with authentication to encrypt the decrypted data from the client using the key obtained from the key manager. This provides both confidentiality and integrity.
5. The system of claim 1, wherein the key manager loads the at least one key into the encryption gateway via a secure port of the first computing device or over a client-side network.
In the system from Claim 1, the key manager securely loads encryption keys into the encryption gateway either through a dedicated secure port on the gateway device or over a secured client-side network connection.
6. The system of claim 5, wherein the at least one key is associated to the first client when loaded by the key manager.
Building on Claim 5, when the key manager loads an encryption key into the encryption gateway, it associates that key specifically with the client that will use it. This allows the gateway to manage keys on a per-client basis.
7. The system of claim 1, wherein the key manager communicates with the remote-side transport protocol to determine at least one key for use in the encryption of the data.
In the system from Claim 1, the key manager can communicate using the remote-side transport protocol to determine which encryption key should be used to encrypt the data being sent to the cloud storage.
8. The system of claim 7, wherein the data is encrypted at a file object level, and at least one key is associated to a file object.
Expanding on Claim 7, the system encrypts data at the level of individual file objects, and at least one key is associated with each file object. The key manager helps determine the key for a given file object.
9. The system of claim 1, wherein the encryption gateway negotiates an encrypted connection to the remote cloud storage or server, the encryption gateway negotiates an encrypted connection to the first client, and the first client communicates with the encryption gateway in a client session using the client-side transport protocol.
The system described in Claim 1 establishes secure, encrypted connections between the encryption gateway and both the remote cloud storage and each client. The client interacts with the gateway within an encrypted client session.
10. The system of claim 9, wherein the encryption gateway decrypts the received data from the first client using a client session key of the client session.
In the system of Claim 9, the encryption gateway decrypts data received from a client using a specific session key tied to the client's current session with the gateway.
11. The system of claim 10, wherein the first encrypted data is encrypted by the encryption gateway using a cloud session key associated with the encrypted connection to the remote cloud storage or server.
Building on Claim 10, after decrypting data from the client, the encryption gateway encrypts the data again using a second key (cloud session key) that is associated with the encrypted connection established to the remote cloud storage or server.
12. The system of claim 1, wherein the encryption gateway sets up a transport session with the remote cloud storage or server prior to receiving the payload from the first client, and the encryption gateway uses the transport session for sending data from each of the plurality of clients, including the first client, to the remote cloud storage or server.
In the system from Claim 1, the encryption gateway first establishes a transport session with the remote cloud storage or server before any client data arrives. This pre-established session is then re-used for sending data from multiple clients, improving efficiency.
13. The system of claim 12, wherein the encryption gateway modifies or inserts a header in a transport connection to associate the first client on a remote connection, or the encryption gateway modifies or inserts a header in a file object to associate the first client on a remote connection.
Using the system of Claim 12, the encryption gateway includes information (a header) to identify which client the data came from, either by modifying a transport connection header or adding a header to the file object itself when communicating with the remote server.
14. The system of claim 1, wherein the key manager is implemented using the first computing device or a second computing device.
In the system from Claim 1, the key manager, which provides the encryption keys, can be implemented either on the same physical computing device as the encryption gateway itself, or on a separate, dedicated computing device.
15. A method, comprising: storing, in a memory of an encryption gateway, a key associated to a first client of a plurality of clients, the first client communicating with the encryption gateway using a client-side transport protocol; receiving, by the encryption gateway from the first client, a first request to read data or a file object from a remote cloud storage or server, the remote cloud storage or server communicating with the encryption gateway using a remote-side transport protocol; in response to the first request, sending, by the encryption gateway, a second request to the remote cloud storage or server for the data or file object; in response to the second request, receiving, by the encryption gateway, the data or the file object in a first payload from the remote cloud storage or server, wherein the data or the file object has been encrypted using the remote-side transport protocol; decrypting, by at least one processor of the encryption gateway, the received data or the file object in the first payload using the remote-side transport protocol to provide first decrypted data; decrypting, by the encryption gateway, the first decrypted data using the key associated to the first client to provide second decrypted data, wherein the key is retrieved from the memory of the encryption gateway; encrypting, by the encryption gateway, the second decrypted data using the client-side transport protocol to provide first encrypted data; and sending, from the encryption gateway to the first client, the first encrypted data.
A method for securely reading data or file objects from remote cloud storage on behalf of clients: The encryption gateway stores client-specific keys. When a client requests data, the gateway requests that data from the cloud storage. The cloud storage sends the encrypted data to the gateway. The gateway decrypts the data using the remote-side transport protocol, and then decrypts it again using the client-specific key. Finally, the gateway encrypts the data using the client-side transport protocol and sends the encrypted data back to the client.
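As an added example that is not part of the patent or of any product it describes, the per-client encryption layer that claims 1, 4 and 15 place between the two transport sessions, written in Go with AES-GCM. Termination of the client-side and remote-side TLS sessions, the key manager's own transport, and every name below are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Gateway keeps one AES-GCM instance per client, built from the key the key
// manager loaded into its memory. TLS termination on both sides is not shown.
type Gateway struct{ aeads map[string]cipher.AEAD }

// LoadKey plays the key manager (claims 5, 6): a random 32-byte key for clientID.
func (g *Gateway) LoadKey(clientID string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	a, _ := cipher.NewGCM(block)   // authenticated symmetric encryption (claim 4)
	g.aeads[clientID] = a
	return nil
}

// Seal is the write path of claim 1: plaintext recovered from the client-side
// session becomes nonce||ciphertext||tag under that client's key, with the
// client identifier bound as associated data so the object is tied to it.
func (g *Gateway) Seal(clientID string, plaintext []byte) ([]byte, error) {
	a, ok := g.aeads[clientID]
	if !ok {
		return nil, errors.New("no key loaded for client " + clientID)
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plaintext, []byte(clientID)), nil
}

// Open is the read path of claim 15: the object fetched from the cloud is
// authenticated and decrypted with the client's key before re-encryption for
// the client session; a tampered object or the wrong client's key fails.
func (g *Gateway) Open(clientID string, blob []byte) ([]byte, error) {
	a, ok := g.aeads[clientID]
	if !ok || len(blob) < a.NonceSize() {
		return nil, errors.New("unknown client or malformed object")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], []byte(clientID))
}
```

Because the client identifier is part of the authenticated data, an object sealed for one client cannot be opened under another client's key even if both keys were somehow known to the gateway.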
16. The method of claim 15, further comprising: terminating, by the encryption gateway, client-side communication with the first client; performing decryption on a transmission control protocol stream of data associated with an encryption algorithm; and receiving data for transport encryption of a second payload that is independent of the first payload.
Building on the method in Claim 15, the encryption gateway terminates the client's connection, decrypts data within a TCP stream that was encrypted using a certain encryption algorithm, and can receive and prepare subsequent data packets for a second, independent payload.
17. A system, comprising: at least one processor of an encryption gateway; and memory storing instructions configured to instruct the at least one processor to: receive, from a first client communicating with the encryption gateway using a client-side transport protocol, data in a payload; decrypt the received data using the client-side transport protocol to provide first decrypted data; receive, from a key manager, at least one key associated to the first client; encrypt the first decrypted data using the at least one key to provide first encrypted data; encrypt the first encrypted data using a remote-side transport protocol associated with a remote cloud storage or server to provide second encrypted data; and send the second encrypted data to the remote cloud storage or server.
A system encrypts data for cloud storage. An encryption gateway has a processor and memory. The memory contains instructions that cause the processor to: receive data from a client, decrypt it using the client-side transport protocol, receive an encryption key from a key manager (specific to that client), re-encrypt the decrypted data with that key, encrypt the result using a remote-side transport protocol, and finally send the doubly-encrypted data to remote cloud storage.
18. The system of claim 17, wherein the data in the payload from the first client is received by a multiplexer or a packet engine of the encryption gateway.
In the system described in Claim 17, the data in the payload received from the client is handled by either a multiplexer component or a packet engine within the encryption gateway.
19. The system of claim 17, wherein the second encrypted data is sent to the remote cloud storage or server by a packet engine of the encryption gateway.
In the system of Claim 17, the final step of sending the doubly-encrypted data to the remote cloud storage or server is performed by a packet engine within the encryption gateway.
October 17, 2017